CVE-2024-5561 highlights a critical flaw in the Popup Maker plugin, a popular WordPress plugin used by over 700,000 websites to create and manage popups. This vulnerability allows attackers to execute stored Cross-Site Scripting (XSS) attacks by embedding malicious JavaScript (JS) code. Exploited by someone with editor-level permissions, this flaw can result in complete account takeover and the creation of backdoors, leading to long-term control over the compromised WordPress site.
| Field | Value |
| --- | --- |
| CVE | CVE-2024-5561 |
| Plugin | Popup Maker < 1.19.1 |
| Critical | High |
| All Time | 15 972 678 |
| Active installations | 700 000+ |
| Publicly Published | August 19, 2024 |
| Last Updated | August 19, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5561 , https://wpscan.com/vulnerability/6a87cc25-bd7d-40e3-96f9-26646cd6f736/ |
| Plugin Security Certification by CleanTalk | |
Timeline
| Date | Event |
| --- | --- |
| May 28, 2024 | Plugin testing and vulnerability detection in the Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder have been completed |
| May 28, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| August 19, 2024 | Registered CVE-2024-5561 |
Discovery of the Vulnerability
During routine security testing, a severe vulnerability was discovered in the Popup Maker plugin. The flaw resides in the plugin’s subscription form feature, which allows users to customize the success message that appears after a form is submitted. Through insufficient input sanitization, the “Success Message” field can be manipulated to execute malicious JavaScript code.
A proof-of-concept (PoC) demonstrated that by inserting a shortcode such as [pum_sub_form name_field_type="fullname" label_name="Name"...] into a new post and modifying the “Success Message” field in the plugin’s settings with a payload like <img src=x onerror=alert(1)>, an attacker could trigger the XSS script. When the form is submitted, the script is executed in the context of the site admin’s browser, potentially leading to account hijacking or the creation of an unauthorized admin account.
Understanding XSS Attacks
Cross-Site Scripting (XSS) vulnerabilities are a common threat in WordPress, especially with the extensive use of third-party plugins. XSS allows attackers to inject and execute untrusted scripts within a trusted website. In the case of the Popup Maker plugin, the vulnerability stems from improper sanitization of user inputs within the settings field, allowing attackers to insert JavaScript that executes when the form is submitted.
Real-world examples of XSS vulnerabilities often involve attackers stealing session cookies, hijacking user accounts, or inserting scripts that can perform unauthorized actions like changing site settings or installing malware. The stored XSS vulnerability in Popup Maker is particularly dangerous because it allows attackers with editor-level access to execute scripts that could gain higher privileges, leading to site-wide compromise.
Exploiting the XSS Vulnerability
Exploiting CVE-2024-5561 involves using the plugin’s subscription form feature, combined with injecting a malicious payload into the “Success Message” field. The attacker first creates a new post with a shortcode for the subscription form, then navigates to the plugin’s settings and alters the success message to include a script like <img src=x onerror=alert(1)>. Once the message is saved, the malicious script will be executed whenever the subscription form is submitted, giving the attacker control over the admin’s session or enabling them to create backdoors.
Because the vulnerability allows the insertion of custom JavaScript, more complex payloads could be designed to steal authentication cookies, change WordPress configurations, or create additional administrator accounts. This would allow attackers to maintain persistent control over the site long after the initial exploit.
POC:
Create a new post with the following shortcode: [pum_sub_form name_field_type="fullname" label_name="Name" label_email="Email" label_submit="Subscribe" placeholder_name="Name" placeholder_email="Email" form_layout="block" form_alignment="center" form_style="default" privacy_consent_enabled="yes" privacy_consent_label="Notify me about related content and special offers." privacy_consent_type="radio" privacy_consent_radio_layout="inline" privacy_consent_yes_label="Yes" privacy_consent_no_label="No" privacy_usage_text="If you opt in above we use this information send related content, discounts and other special offers."]. Then go to the plugin’s settings and change the "Success Message" field in the Subscriptions section to malicious JavaScript (eval() calls and the like), for example <img src=x onerror=alert(1)>, and click Save Settings. (Administrators and editors are allowed to use JavaScript in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for stored XSS using such roles.)
____
The risks associated with CVE-2024-5561 are significant, especially given the high number of installations (over 700,000). Successful exploitation could lead to an attacker gaining unauthorized access to the WordPress site, creating persistent backdoors, or even defacing the site. Additionally, the site could be used to distribute malware or launch further attacks on visitors or customers.
In real-world scenarios, attackers could exploit this vulnerability to perform mass defacement or inject code that redirects users to phishing sites. For e-commerce sites, the theft of customer data and financial information is a real concern. With the ability to create new admin accounts, the attacker can continue exploiting the site without detection, making this vulnerability a serious threat for high-traffic or business-critical websites.
Recommendations for Improved Security
To mitigate the risks posed by CVE-2024-5561, WordPress site administrators should immediately update the Popup Maker plugin to the latest version once a patch is available. It is crucial that the plugin developers implement input sanitization measures, ensuring that fields like the “Success Message” cannot accept or execute harmful scripts.
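As an added defensive example (not the plugin’s own code), the allowlist-based filter below shows the kind of server-side sanitization the recommendation calls for, modelled on the wp_kses approach WordPress itself uses: only listed tags and attributes survive, so event-handler attributes and javascript: URLs are dropped from a saved Success Message. The allowlist, the Kses class and the function names are assumptions made for this illustration.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlist (tag -> permitted attributes), in the spirit of
# WordPress's wp_kses. No on* handler is ever listed, so all are dropped.
ALLOWED = {"p": set(), "br": set(), "strong": set(), "em": set(), "b": set(),
           "i": set(), "a": {"href", "title"}, "img": {"src", "alt"}}
VOID = {"br", "img"}

def safe_url(value: str) -> bool:
    # Allow relative URLs and http/https/mailto; reject javascript: and friends.
    v = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
    scheme, sep, _ = v.partition(":")
    if not sep or any(c in scheme for c in "/?#"):
        return True  # no scheme before the first ':' means a relative URL
    return scheme in ("http", "https", "mailto")

class Kses(HTMLParser):
    # Rebuilds the markup, keeping only allowlisted tags/attributes.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # script, iframe, svg, ... are removed entirely
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue  # this is where onerror=, onclick=, style= go away
            value = value or ""
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        while tag in self.open:  # close nested tags up to the matching one
            self.out.append(f"</{self.open.pop()}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is never markup

def sanitize_success_message(raw: str) -> str:
    parser = Kses()
    parser.feed(raw)
    parser.close()
    while parser.open:  # close anything the author left open
        parser.out.append(f"</{parser.open.pop()}>")
    return "".join(parser.out)
```

Run on the advisory’s own payload, the filter returns <img src="x"> with the onerror handler gone, while ordinary formatting such as <strong> in a legitimate message is preserved.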
Additionally, administrators should review user roles and permissions, particularly for editors, and restrict the ability to use unfiltered HTML or JavaScript. Implementing a web application firewall (WAF) can further protect sites by blocking XSS attempts before they can be executed. Finally, administrators should monitor their WordPress sites for unusual activity, such as new accounts being created or settings being altered without authorization.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-5561, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #VeryHighVulnerability
ARTYOM K.